View Issue Details

ID: 0009503
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2026-01-17 13:01
Reporter: erikdervishi
Assigned To: 
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary0009503: Steghide 0.5.1-15 crashes (stack smashing detected) on long paths, causing sensitive data leak via core dump
Description

Package: steghide
Version: 0.5.1-15
Architecture: amd64
Maintainer: Debian Security Team

Scenario: I installed steghide from the official Kali Linux repositories. I attempted to embed data into a valid WAV file located in a directory path that, combined with the filename, exceeds 200 bytes in length. Upon execution, the application crashes immediately.

Analysis: The crash is caused by a stack-based buffer overflow in src/Embedder.cc. The application uses an unsafe sprintf call to write the status message into a fixed-size buffer (char buf[200]) without bounds checking. The system's Stack Smashing Protector (SSP) correctly detects this violation and terminates the process to prevent arbitrary code execution.

Error Message:
buffer overflow detected : terminated
Aborted (core dumped)

Impact Analysis:

  1. Denial of Service (DoS): The application crashes reliably (always reproducible).
  2. Information Disclosure (Critical): The crash happens after sensitive user data (passphrase and secret payload) has been loaded into memory. I have verified by analyzing the generated core dump (using strings) that the user's passphrase is written to disk in plain text within the crash dump file.

System Information:
Kernel (uname -a): Linux eriknet 6.12.25-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.25-1kali1 (2025-04-30) x86_64 GNU/Linux
C Library (dpkg -s libc6 | grep ^Version): Version: 2.41-6

Proposed Fix: The original upstream project is inactive. I have submitted a patch to the community fork (StegHigh) that replaces the unsafe sprintf with snprintf. Pull Request: https://github.com/StegHigh/steghide/pull/21

Steps to Reproduce:

  1. Create a script named reproduce_issue.sh with the following content:

#!/bin/bash

# 1. Enable core dumps to verify the leak
ulimit -c unlimited

# 2. Define a long path (> 200 bytes in total)
LONG_DIR=$(python3 -c "print('A'*200)")
LONG_NAME=$(python3 -c "print('A'*200 + '.wav')")
mkdir -p "$LONG_DIR"

# 3. Generate a valid 50KB WAV file (header + silence)
#    Required to bypass the initial file format checks and reach the vulnerable code
python3 -c "
import struct
file_path = '$LONG_DIR/$LONG_NAME'
total_len = 50000
data_len = total_len - 36
with open(file_path, 'wb') as f:
    # RIFF/WAVE header: PCM, mono, 44100 Hz, 16 bit, followed by the data chunk header
    f.write(b'RIFF' + struct.pack('<I', total_len) + b'WAVEfmt ' + struct.pack('<I', 16) + struct.pack('<HHIIHH', 1, 1, 44100, 44100, 2, 16) + b'data' + struct.pack('<I', data_len))
    f.write(b'\x00' * data_len)
"

# 4. Create a dummy secret
echo "secret data" > secret.txt

# 5. Run steghide with a specific password
echo "Launching steghide with password 'MY_SECRET_PASS'..."
steghide embed -cf "$LONG_DIR/$LONG_NAME" -ef secret.txt -p MY_SECRET_PASS

  2. Make the script executable (chmod +x reproduce_issue.sh) and run it: ./reproduce_issue.sh

  3. Verify the data leak: locate the core dump and search for the password string.

# Using coredumpctl (systemd default on Kali)
coredumpctl dump steghide > crash.dump
strings crash.dump | grep "MY_SECRET_PASS"

Result: The strings command outputs MY_SECRET_PASS multiple times, confirming the passphrase leaked to disk.
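The two halves of the report side by side, as an added example in C that is neither steghide's source nor the reporter's patch: an unbounded sprintf into a 200-byte stack buffer next to its snprintf replacement, and a passphrase buffer that the kernel leaves out of the core file. Only the 200-byte buffer size and the long-path trigger come from the report; the format string, the function and struct names and the secret helpers are assumptions made here. It is Linux-specific (MADV_DONTDUMP, explicit_bzero).

```c
#define _GNU_SOURCE            /* explicit_bzero, MAP_ANONYMOUS, MADV_DONTDUMP */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define STATUS_BUF_SIZE 200    /* the fixed-size buffer the report describes */
/* Assumed message layout; the literal text in src/Embedder.cc is not quoted in the report. */
#define STATUS_FMT "embedding data in \"%s\"..."

/* Vulnerable pattern: nothing compares the path length against buf, so any path a little
 * shorter than STATUS_BUF_SIZE already writes past its end. Kept only for comparison and
 * never called with long input here. */
void status_message_unsafe(char *buf, const char *path)
{
    sprintf(buf, STATUS_FMT, path);
}

/* Hardened form: snprintf bounds the write and always NUL-terminates. The return value is
 * the length the complete message would have needed, so a result >= bufsize tells the
 * caller the text was truncated instead of silently corrupting the stack. */
int status_message_safe(char *buf, size_t bufsize, const char *path)
{
    int needed = snprintf(buf, bufsize, STATUS_FMT, path);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    return needed;
}

/* Dry run of the same format string: 1 if the unsafe call would overflow bufsize bytes. */
int would_overflow(const char *path, size_t bufsize)
{
    int needed = snprintf(NULL, 0, STATUS_FMT, path);
    return needed < 0 || (size_t)needed + 1 > bufsize;
}

/* Secret storage that stays out of the core file: an anonymous page marked MADV_DONTDUMP
 * (the kernel skips it when writing the dump), locked against swapping where the memlock
 * limit allows, and wiped before release. */
struct secret {
    char  *data;
    size_t cap;
};

int secret_alloc(struct secret *s, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = ((want + page - 1) / page) * page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (madvise(p, len, MADV_DONTDUMP) != 0) {  /* the property that matters for this bug */
        munmap(p, len);
        return -1;
    }
    (void)mlock(p, len);  /* best effort: may fail under a small RLIMIT_MEMLOCK */
    s->data = p;
    s->cap = len;
    return 0;
}

int secret_set(struct secret *s, const char *value)
{
    size_t n = strlen(value);
    if (n + 1 > s->cap)
        return -1;
    memcpy(s->data, value, n + 1);
    return 0;
}

void secret_free(struct secret *s)
{
    if (!s->data)
        return;
    explicit_bzero(s->data, s->cap);  /* a plain memset before munmap can be optimised away */
    munmap(s->data, s->cap);
    s->data = NULL;
    s->cap = 0;
}

int main(void)
{
    char path[405], buf[STATUS_BUF_SIZE];
    memset(path, 'A', sizeof path - 1);  /* constructed: a ~400-byte path like the reproducer's */
    path[sizeof path - 1] = '\0';

    printf("unsafe sprintf would overflow: %d\n", would_overflow(path, STATUS_BUF_SIZE));
    int needed = status_message_safe(buf, sizeof buf, path);
    printf("snprintf: needed %d bytes, kept %zu, truncated=%d\n",
           needed, strlen(buf), needed >= (int)sizeof buf);

    struct secret pw = { NULL, 0 };
    if (secret_alloc(&pw, 64) == 0 && secret_set(&pw, "MY_SECRET_PASS") == 0)
        printf("passphrase held in a MADV_DONTDUMP page, not in a core file\n");
    secret_free(&pw);
    return 0;
}
```

Two caveats worth keeping in mind when reading the report against this. First, the message it quotes, "buffer overflow detected", is what glibc prints when a _FORTIFY_SOURCE-checked sprintf (__sprintf_chk) sees the write exceed the buffer size known at compile time; the stack protector's own message reads "stack smashing detected". Both abort the process, and both leave the core file behind, which is the part that matters here. Second, MADV_DONTDUMP only protects memory the secret never leaves: in a C++ code base a copy into a std::string or a temporary on the stack lands in the dump all the same, so the process-wide alternatives, ulimit -c 0 or prctl(PR_SET_DUMPABLE, 0), are the simpler guarantee for a tool that handles passphrases, at the cost that PR_SET_DUMPABLE=0 also blocks ptrace attach by the same user.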

Activities

kali-bugreport

2026-01-16 06:18

reporter   ~0021256

You know that you should report this to the development team of that software itself?

erikdervishi

2026-01-16 10:27

reporter   ~0021259

I would normally report this upstream, but the original project on SourceForge is abandoned and unmaintained (last update was in 2005). There is no active upstream development team to report to anymore.

Since Kali and Debian continue to ship this package, and this is a reproducible security vulnerability (Stack Buffer Overflow causing Information Disclosure via core dumps), the fix needs to be applied at the distribution packaging level (e.g., via debian/patches).

A fix is already available in the community fork "StegHigh" (PR #21), which simply replaces the unsafe sprintf with snprintf.

kali-bugreport

2026-01-16 10:34

reporter   ~0021260

Last edited: 2026-01-16 10:40

What about https://github.com/StegHigh/steghide, which is (somewhat) active, has an issue tracker and allows fixes via pull requests?

A GitHub org, StegHigh has been set up to maintain steghide. Please submit all PRs, discussions, and issues there.

Distro patches for upstream issues without notification to upstream by the reporter are probably the last resort which should be taken.

kali-bugreport

2026-01-16 11:06

reporter   ~0021262

Last edited: 2026-01-16 18:03

Ah, https://github.com/StegHigh/steghide/pull/21 is what was meant by "community fork" (which, going by the previous quote, actually seems to be the official repo and not a fork), so all good.

Correct way probably would be:

  1. Communicate with upstream first (which is basically done with the PR)
  2. Get a CVE assigned if the report is valid (so that all Linux Distros are getting aware of this more easily)
  3. Create the PR (which had been already done)
  4. After the PR was reviewed and merged either:
    1. Ask upstream to make a release (so the fix will arrive for all distros and not only Kali)
    2. The Kali team pulls the approved and merged patch (not sure if they can judge its validity / have the manpower for this without upstream; this would only solve the flaw in Kali and not in other distros)
  5. EOF
erikdervishi

2026-01-16 16:14

reporter   ~0021267

Ok, thanks! I have requested the CVE and will update this thread as soon as I get the ID

Shopyle

2026-01-16 17:18

reporter   ~0021268

kali-bugreport, can I ask how I can join your side as a programmer? On the Discord group they advised me to come here.

kali-bugreport

2026-01-16 18:06

reporter   ~0021269

Nice, I think this will benefit all Linux distributions if a CVE gets assigned.

It seems the tool is also being pulled / imported into Kali from Debian:

https://pkg.kali.org/pkg/steghide

and once it receives a fix in Debian it will also automatically land in Kali.

Shopyle

2026-01-16 18:26

reporter   ~0021270

And what if I want to build a new tool, let's say a tool for tracking? Where can I post it?

kali-bugreport

2026-01-16 19:04

reporter   ~0021271

Last edited: 2026-01-17 13:01

@Shopyle No idea what you are talking about and I don't care.

If you are not a spambot please stop posting completely unrelated stuff like this here in random unrelated issues.

Issue History

Date Modified Username Field Change
2026-01-15 01:43 erikdervishi New Issue
2026-01-16 06:18 kali-bugreport Note Added: 0021256
2026-01-16 10:27 erikdervishi Note Added: 0021259
2026-01-16 10:34 kali-bugreport Note Added: 0021260
2026-01-16 10:40 kali-bugreport Note Edited: 0021260
2026-01-16 11:06 kali-bugreport Note Added: 0021262
2026-01-16 12:36 kali-bugreport Note Edited: 0021262
2026-01-16 16:14 erikdervishi Note Added: 0021267
2026-01-16 17:18 Shopyle Note Added: 0021268
2026-01-16 18:03 kali-bugreport Note Edited: 0021262
2026-01-16 18:06 kali-bugreport Note Added: 0021269
2026-01-16 18:26 Shopyle Note Added: 0021270
2026-01-16 19:04 kali-bugreport Note Added: 0021271
2026-01-16 19:45 kali-bugreport Note Edited: 0021271
2026-01-17 13:01 kali-bugreport Note Edited: 0021271